TL:DW version: a hacker (or group of hackers) managed to become a trusted maintainer of xz project, and used that to build a backdoor into SSH protocols. They almost managed to make it into...
TL:DW version: a hacker (or group of hackers) managed to become a trusted maintainer of xz project, and used that to build a backdoor into SSH protocols. They almost managed to make it into several distros - for a short bit, their backdoor was in Fedora and Debian. Someone by accident noticed how debian SSH calls were taking longer than usual, and reported it to debian, which then they sounded the alarm to everyone else.
TL:DW version: a hacker (or group of hackers) managed to become a trusted maintainer of xz project, and used that to build a backdoor into SSH protocols. They almost managed to make it into several distros - for a short bit, their backdoor was in Fedora and Debian. Someone by accident noticed how debian SSH calls were taking longer than usual, and reported it to debian, which then they sounded the alarm to everyone else.
Original discussion on Tildes:
https://tildes.net/~comp/1fa5/backdoor_in_upstream_libxz_targeting_sshd